Properly designed risk framework supports risk discussion in your company. It combines indicators that allow estimating risk probability, risk impact, and risk control actions.
Here are the key topics of the article:
- Risk definition
- KRI vs. KPI
- KRI template
- The list of popular KRIs
- GRC software: KRIs in BSC Designer
KRIs are not that different from KPIs; risk management frameworks are not that different from the Balanced Scorecard. Let’s start the discussion of Key Risk Indicator best practices.
The Idea of Risk
What is risk, and how can one measure and control it? Intuitively, one understands that risk is something regarding a danger/threat that might happen with a certain probability and result in some type of negative outcome. This perception is generally correct with one exception: risk doesn’t always need to be a threat for a business; it might be an opportunity as well.
The older definition of risk in ISO was “a chance or probability of loss,” while the latest ISO 31000:2009 defines risk as “the effect of uncertainty on objectives.”
In other words, the modern definition of risk recognizes that risk is not only about threats, but about opportunities as well.
Losing your key employee might be a threat on the one hand, but on the other hand you might find a new one that will bring to your company new skills and ideas. Everything depends upon the business context (business objectives).
What are Key Risk Indicators?
As their name states, KRIs are indicators that are key for the risk management process.
- The word “Key” implies that there cannot be hundreds of KRIs; so if you have 100+ KRIs, then most likely these are just risk metrics.
Most of the principles that we discussed for KPIs (Key Performance Indicators) apply to KRIs:
- They need to have a proper business context,
- They need to be measurable,
- There has to be a person responsible for each KRI,
- There should be buy-in from the team, etc.
Having said that, I recommend checking out the article: 12 Steps KPI System. When reading, replace “KPI” with “KRI” and you can easily use all the same ideas and recommendations.
For now, it is enough to define KRIs as those risk metrics that are an important part of your risk management portfolio. As follows from the definition of risk in the ISO standard, the ultimate decision about what is and is not a risk depends on a company’s objectives, so be careful when copying KRIs from others.
The Difference Between KRI and KPI
In some literature KPIs and KRIs are strictly divided: the first are responsible for business performance and the second are about risk. A typical example of a KPI that is not a KRI, often cited, is “Net Profit.”
- “Net profit is a KPI because it doesn’t tell us anything about the risk level or risk control!” – authors often suggest.
The thing is that “Net profit” by itself doesn’t tell us anything about performance either, or about the way one wants to increase it!
To make use of “Net profit” we need to put it in a proper business context, add thresholds, baseline, and target marks, and add a relevant action plan:
- KPI: “Net profit”
- Current level: $200 K
- Baseline: $205 K
- Target: $300 K
- Stop light: red
- Action plan: “We failed because of the old sales team! Hire a new sales team!”
Have a look at this KPI! Doesn’t it look like a KRI now? For sure, we don’t have metrics for probability and impact, but we can easily add them…
Another thought that supports the idea of the similar nature of KRIs and KPIs:
- KPIs need to be aligned with the business strategy; and how was this strategy determined? Didn’t we use the SWOT method (where T stands for “threats”) to come up with hypotheses (risk analysis) and possible solutions (risk control)?
Well, I’m exaggerating, but I personally don’t see any fundamental difference. I am ready to argue about this in the comments. For sure, KRIs are more “risk-oriented,” but if needed, a KRI can be converted into a KPI and vice versa.
Mapping Risks to KRI. Defining Key Risk Indicators.
Here comes an interesting part. Let’s talk about Risk Management. Managing risks is about managing the chain of:
- Detecting/predicting threats/opportunities
- Estimating the chance that they will happen (their probability)
- Controlling the impact/outcomes
We cannot map all these aspects of the risk onto one KRI, so we will normally need 3 indicators:
- An indicator that measures probability
- An indicator that measures the impact
- An indicator that measures the action plan
For example, for a KRI such as “Poor mentoring of employees” we would have:
- Time spent on mentoring per week, hours. This indicator estimates risk probability: the fewer hours one spends mentoring others, the more likely the company will face this risk.
- Employee engagement index, %. This indicator helps to understand the impact of poor communication. Less mentoring means less engagement on the part of employees.
- Action plan: improve mentoring procedures; the relevant indicator might be something like “Leadership training passed, hours.” We need to teach managers a proper leadership paradigm that includes mentoring.
Which of those indicators is the KRI? I’d say that the pair of “probability” and “impact” indicators forms the KRI, while the action plan indicator relates to the risk control procedures.
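The three-indicator structure above (probability indicator, impact indicator, action indicator) and the “Net profit in context” example from the previous section can be written down as a small model. The following Python is an added example, not code from the article or from BSC Designer; the 0..1 normalisation between baseline and target, the likelihood × severity product, the stop-light thresholds, and all baseline/target numbers other than the Net profit ones are assumptions made here. It goes slightly beyond the article’s case by handling “lower is better” indicators (defect counts, for example) with the same normalisation, since the ordering of baseline and target already fixes the direction.

```python
"""Worked model of a KRI built from a probability indicator, an impact
indicator and action indicators. Added example; normalisation, the
likelihood x severity product and the colour thresholds are assumptions."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Indicator:
    """A metric put into business context: current value, baseline, target.

    The order of baseline and target fixes the direction: baseline 205,
    target 300 means 'higher is better'; baseline 10, target 2 means 'lower
    is better'. No separate direction flag is needed.
    """
    name: str
    unit: str
    current: float
    baseline: float  # acceptable level
    target: float    # desired level

    def score(self) -> float:
        """Progress from baseline (0.0) to target (1.0), clamped to 0..1."""
        span = self.target - self.baseline
        if span == 0:
            raise ValueError(f"{self.name}: baseline and target must differ")
        raw = (self.current - self.baseline) / span
        return max(0.0, min(1.0, raw))

    def stop_light(self) -> str:
        """Assumed bands: red below one third, amber below two thirds."""
        s = self.score()
        return "red" if s < 1 / 3 else "amber" if s < 2 / 3 else "green"


@dataclass
class KeyRiskIndicator:
    """Probability + impact indicators form the KRI; the control plan and
    its action indicators describe risk control, as in the article."""
    risk: str
    probability: Indicator
    impact: Indicator
    control_plan: List[str] = field(default_factory=list)
    action_indicators: List[Indicator] = field(default_factory=list)

    def likelihood(self) -> float:
        """Assumption: likelihood rises as the probability indicator falls
        away from its target (fewer mentoring hours -> risk more likely)."""
        return 1.0 - self.probability.score()

    def severity(self) -> float:
        """Assumption: severity rises as the impact indicator degrades."""
        return 1.0 - self.impact.score()

    def exposure(self) -> float:
        """Classic risk-matrix product, likelihood x severity, in 0..1."""
        return self.likelihood() * self.severity()

    def stop_light(self) -> str:
        """Assumed exposure bands: green < 0.2, amber < 0.5, red otherwise."""
        e = self.exposure()
        return "green" if e < 0.2 else "amber" if e < 0.5 else "red"

    def control_progress(self) -> float:
        """Mean score of the action indicators (0.0 if none are defined)."""
        if not self.action_indicators:
            return 0.0
        return sum(i.score() for i in self.action_indicators) / len(self.action_indicators)


# The "Net profit" KPI with the current/baseline/target values from the article.
NET_PROFIT = Indicator("Net profit", "$K", current=200, baseline=205, target=300)

# The "Poor mentoring of employees" KRI; baseline/target values are constructed.
POOR_MENTORING = KeyRiskIndicator(
    risk="Poor mentoring of employees",
    probability=Indicator("Time spent on mentoring per week", "hours",
                          current=4, baseline=3, target=5),
    impact=Indicator("Employee engagement index", "%",
                     current=66, baseline=60, target=75),
    control_plan=["Improve mentoring procedures"],
    action_indicators=[Indicator("Leadership training passed", "hours",
                                 current=10, baseline=0, target=40)],
)


def report(kri: KeyRiskIndicator) -> str:
    """Render one KRI in the three-column shape of the article's template."""
    p, i = kri.probability, kri.impact
    return "\n".join([
        f"Risk: {kri.risk} [{kri.stop_light()}] exposure={kri.exposure():.2f}",
        f"  Probability: {p.name}, {p.unit} = {p.current} ({p.stop_light()})",
        f"  Impact: {i.name}, {i.unit} = {i.current} ({i.stop_light()})",
        f"  Control plan: {'; '.join(kri.control_plan)}",
        f"  Action progress: {kri.control_progress():.0%}",
    ])


if __name__ == "__main__":
    print(f"{NET_PROFIT.name}: {NET_PROFIT.current} {NET_PROFIT.unit} -> {NET_PROFIT.stop_light()}")
    print(report(POOR_MENTORING))
```

With these constructed numbers the Net profit indicator sits below its baseline and shows red, exactly the situation in the article’s list; the mentoring KRI lands at an exposure of 0.3 (amber) with the control plan 25% complete. The point of the model is the one the article makes: the same indicator object serves as a KPI or as the probability/impact half of a KRI, and only the context around it (baseline, target, and the plan it is attached to) differs.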
Template for a KRI
Here is a template that one can use for a Key Risk Indicator.
| Risk Indicators | Risk Control Plan | Action Indicator |
|---|---|---|
| Probability Indicator: ________; Impact Indicator: _________ | Action 1: _________; Action 2: _________ | Indicator 1: _________; Indicator 2: _________ |
The example discussed above will look like this:
| Risk Indicators | Risk Control Plan | Action Indicator |
|---|---|---|
| “Poor mentoring of employees”: Time spent on mentoring per week, hours; Employee engagement index, % | Improve mentoring procedures | Leadership training passed, hours |
Leading/Lagging KPIs vs. Probability/Impact KRIs
When mapping business strategy we always suggest making sure that there are:
- Leading indicators aligned with business objectives,
- Lagging indicators aligned with business objectives, and an
- Action plan.
Compare this to the “probability,” “impact,” and “control plan” and you will see what I mean.
Properly described strategy looks very similar to the properly done risk and control assessment.
How do Risks Appear on the Map? Reporting Culture.
As business objectives are projections of properly defined strategy, risks are projections of a properly done risk analysis.
- The basic step is to start with a classical risk assessment: drawing root-cause diagrams, brainstorming possible problems, and getting a list of the risks as a result.
- The most important step is to implement a proper reporting culture in your company. Employees should report not only evident problems that have already happened, but also situations where they were lucky enough to avoid a problem that could have happened. Such reports will allow you to identify risks that you might not have thought about before.
Establish a culture similar to the one at NASA: if a problem appeared once, they conduct careful research into the possible reasons why it happened, even if it does not repeat.
How to Use Risk Assessment and Control Model
The risk assessment model described above is nothing new, but you need it just as you need a strategy map in business performance management. Specific numbers might be tricky and won’t give you specific information. Why have this model then?
- As a strategy map helps to discuss strategy, a risk assessment model/scorecard needs to be a base for further discussions related to risk identification and control.
In this way you will implement risk control into the company’s DNA. It’s much better than regular formal reporting of KRIs that has nothing to do with real problems.
The List of the Most Popular KRIs
In the free BSC Designer account, you have access to several risk scorecards with a total of 89 KRIs.
To access these Risk Scorecards, follow these steps:
- Sign up for a free account at BSC Designer Online
- Select New > New Scorecard
- Click on the More templates… menu and scroll down to the KRIs section
Don’t take these risk indicators as must-haves for your business. As with KPIs, KRIs need to be aligned with the business context; if they are not, you will be evaluating and trying to manage risks that will never occur in your business.
GRC Software: KRIs in BSC Designer
As we discussed in the corporate governance article, there is no particular need for separate GRC software.
Risk indicators are still indicators. They can be automated with the strategy execution software that you are using.
Below, we discuss how the users of BSC Designer can track their KRIs.
Define Risk Mitigation Plan via Initiatives
A risk can be identified for any goal on the scorecard using the Initiatives dialog.
Select any goal on the scorecard and click on the Initiative button:
Click on the Add initiative button:
Enter the details of the risk and the risk mitigation plan:
- Change the type of the initiative to Risk
- Enter the risk definition and risk mitigation plan into the Name and Description fields
- Select the indicator that will be used to quantify the risk in the Aligned KPI field
- Assign a possible budget for the risk mitigation plan
- Add a link to the supporting documentation
- Assign an owner for this risk mitigation plan
Visualize Risks on Dashboard
- Switch to the Dashboard tab
- Click the Add button
- Select Initiatives as the chart type
- Select the root element as the data source
- Select Risk in the initiative type drop-down list
Define Risk Indicator
Select an indicator and select “Risk” as measurement unit:
Define risk mitigation plan:
Define risk probability:
Define risk impact:
In this case BSC Designer can visualize necessary data on the risk chart:
The main benefit is that indicators can be aligned with objectives on the strategy map.
- Risk is not just a threat, it is a business opportunity as well
- Put KRIs into proper business context
- Implement proper reporting culture
- Use risk scorecard as a base for the risk discussions
2 thoughts on “Key Risk Indicators, Scorecard, and Template”
Your free use tool does not seem to contain specifics for application/product security risk score card creation. I am thinking of companies which are suppliers of software products into a semi-regulated industry or where regional cybersecurity laws apply to the company because they are a supplier to a Critical Infrastructure Service Provider (CISP). Also, I am looking at trying to map technical risks (e.g., embedded OSS component CVE and CWE) to the customer impact business risks of releasing a product with those known, open vulnerabilities in the product image. And, YES, software products are released with known, open vulnerabilities.
Hi Frank, actually users can set up any indicators they need in the software, including the risk metrics that you mentioned. As for having them as a template, it’s a tough topic, as in the best case indicators should be tailor-made for a specific organization. We gave a general guideline/starting point in the article about measuring quality (https://bscdesigner.com/quality-kpis.htm)